I have a batch file that starts with elevated privileges (my installer spawns it), but at a certain point I need to run a command as the original user who started my installer (i.e. drop from the elevated privileges).
Is it possible to do so?
You can run a command with restricted privileges with:
runas /trustlevel:0x20000 "YourCommandHere"
You should provide the absolute path to your command including any arguments in double quotes as an argument to runas.
If you would like to run more than one command with restricted privileges, you can put them in a separate batch file and run it with:
runas /trustlevel:0x20000 "cmd /C PathToYourBatchFile"
Anyway, this will open a new console with restricted privileges. You also have to use this syntax whenever you wish to run with restricted privileges an internal command (like copy, del, etc.) as these are provided by the command line interpreter and do not have an associated path.
Note that 0x20000 is the trust level of standard users. You can list other available trust levels by running
runas /showtrustlevels
It's still a privileged program (though restricted) in Task Manager by using this command:
runas /trustlevel:0x20000 <cmd>
You can try the other way, which will make it unprivileged in Task Manager:
runas /savecred /user:%username% <cmd>
You still need to enter the password once but not every time.
Use explorer.exe to launch the program:
explorer.exe <cmd>
explorer.exe won't accept arguments for cmd, but you can create a temp script file and launch it by explorer.exe if arguments are necessary.
I wrote a little program to automate:
Taking own of a file/folder for a specified User.
Get (for the same User) FULL CONTROL of the file/folder.
Now, it is well known that takeown.exe wants cmd.exe to be run with Administrator rights. So, to do this in a batch file (most of the time called from a non-Administrator cmd window), I run:
call runas /noprofile /user:"!domain!\!runasUsr!" "cmd /k takeown /f ""!entity!"" /r"
However, even though I pass as !runAsUsr! a name which is contained in the Administrators Group, I get:
ERROR: the user currently connected does not have the ownership privileges on file/folder ...
I tried setting !runAsUsr! = Administrators, but unfortunately I do not remember the password (if I even set one...). For that, I could change from computer manager (or net command), but I do not well know how that command works, so I wouldn't mess things up.
But still, I do not understand why I get that error since the User I pass is within the Administrators group..
I see from computer manager that default account for computer administration is User:Administrator of the Group:Administrators, so this might be the problem. So, how to set the other account to have same rights?
I also tried
call runas /noprofile /user:"!domain!\Administrator" "cmd /k takeown /f ""!entity!"" /r"
getting following error:
ERROR RUNAS: impossible to execute - cmd /k takeown /f "C:\Program Files\Microsoft VS Code\resources\app\extensions\css" /r
1327: restriction on user account do not allow this user to get access.
For example, empty password field not allowed, access times restrictions or application of restriction criteria.
I'm trying to test a batch file that should test for administrator privileges, but I have the weird problem that I can't run it without administrator privileges.
net session >nul 2>&1
if %errorLevel% == 0 (
rem do whatever...
)
Sure, I can just create another user account and run it from there, but that's a bit much effort just for one little test.
The script example above may not exactly be what I wanted because I need a general solution, for example to test if an installer can run without admin rights.
Is there an easier way? A command line argument for running something without administrator privileges maybe?
BTW, I disabled UAC if that makes any difference.
You can try with
runas /trustlevel:0x20000 "cmd.exe /c ....."
Use runas /showtrustlevels to see the available levels.
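An added example, not taken from any of the posts above, that covers the runas /trustlevel answers to both this question and the privilege-drop question earlier on the page: the script logs its own privilege context, relaunches itself with /trustlevel:0x20000, and logs the context the restricted copy actually gets. The report file name and the "probe" argument are constructed for the example.

```batch
@echo off
rem Added example: log the privilege context of this process, then relaunch
rem this same file through runas /trustlevel:0x20000 and log it again.
setlocal
rem Constructed report location. Assumption: the restricted child is the same
rem user and resolves the same TEMP directory.
set "REPORT=%TEMP%\priv_probe.log"

if /i "%~1"=="probe" (
    call :report "%~2"
    exit /b
)

del "%REPORT%" 2>nul
call :report current

rem runas takes the whole command line as one quoted argument; inner quotes
rem are escaped as \" (see runas /?). cmd /C gets the ""path" args" form so
rem a script path containing spaces survives.
runas /trustlevel:0x20000 "cmd /C \"\"%~f0\" probe restricted\""
echo Compare the two sections in "%REPORT%"
exit /b

:report
>>"%REPORT%" echo === context: %~1 ===
rem The S-1-16-* group is the integrity label, independent of UI language:
rem S-1-16-8192 = medium, S-1-16-12288 = high (elevated).
whoami /groups | findstr /C:"S-1-16-" >>"%REPORT%"
rem The check from the question: net session fails without admin rights.
net session >nul 2>&1
if errorlevel 1 (
    >>"%REPORT%" echo net session: denied
) else (
    >>"%REPORT%" echo net session: allowed
)
exit /b 0
```

The restricted copy runs in its own console, so read the log after that window has closed.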
I'm having an issue where a batch script of mine is changing time server REG keys but requires admin privileges to do so, even if the local user is admin.
The way around this I have found is using this line of code:
runas /noprofile /user:administrator\administrator "%UserProfile%\Desktop\Time Server.bat"
But this asks me for the admin password every time, and I can't be doing this for 150+ users.
Can I get this command to read user details from a .txt file or .ini file?
Thank you in advance.
OliV555
AFAIK this is not possible for security reasons. I've spent a lot of time on this but in the end, I had to use a workaround:
Create a new task with the windows scheduler. In the interface select the admin user you want to run your script with and enter the password. Check the option to run the task with highest privileges. Let your task execute the batch file with all the code you want to run as admin. Don't enter any trigger to start your task automatically.
Now here's the trick:
To run your command with admin privileges simply execute
SCHTASKS /Run /TN <taskname>
If your local user is admin this will work straight on. Otherwise, you'll have to grant the user rights to start tasks.
EDIT: The scheduler will execute your batch file with system32 as working directory. So if you are using any relative paths in your script don't forget to adjust them or replace them with absolute paths.
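An added example of the scheduler workaround described above, not the answerer's own script: one batch file that creates the on-demand task, restricts who may modify the file the task executes, and handles the system32 working directory from the EDIT. The task name and the admin account are assumptions; the privileged commands themselves are left to the original batch file.

```batch
@echo off
rem Added example. One file, three modes:
rem   setup  (elevated, once)  create the on-demand task and lock this file down
rem   start  (any user)        trigger the task
rem   run    (Task Scheduler)  the privileged work itself
setlocal
rem Hypothetical task name and assumed admin account; adjust both.
set "TASKNAME=AdminBatchOnDemand"
set "ADMINUSER=%COMPUTERNAME%\Administrator"

if /i "%~1"=="setup" goto :setup
if /i "%~1"=="start" goto :start
if /i "%~1"=="run"   goto :run
echo Usage: %~nx0 setup ^| start ^| run
exit /b 2

:setup
rem The task executes this file with admin rights, so only Administrators and
rem SYSTEM may modify it; Users keep read/execute for the start mode.
rem Keep the file in a directory that standard users cannot write to as well.
icacls "%~f0" /inheritance:r /grant:r "*S-1-5-32-544:F" "*S-1-5-18:F" "*S-1-5-32-545:RX" || exit /b 1
rem schtasks /Create requires a schedule, so a one-time trigger that is already
rem in the past stands in for "no trigger". /RP * prompts for the password once.
schtasks /Create /TN "%TASKNAME%" /TR "\"%~f0\" run" /SC ONCE /ST 00:00 ^
    /RU "%ADMINUSER%" /RP * /RL HIGHEST /F
exit /b

:start
rem As the answer notes, a non-admin user must be granted the right to start the task.
schtasks /Run /TN "%TASKNAME%"
exit /b

:run
rem Task Scheduler starts the job in system32; switch to this file's directory
rem so relative paths resolve. pushd also maps a drive letter for a UNC path.
pushd "%~dp0" || exit /b 1
set "LOG=%~dpn0.log"
>>"%LOG%" echo [%DATE% %TIME%] user=%USERNAME% cwd=%CD%
whoami /groups | findstr /C:"S-1-16-" >>"%LOG%"
rem Privileged commands from the original batch file go here.
popd
exit /b 0
```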
I have written a batch file which starts OpenVPN. If the client is found, I check the connectivity by running PING. If the server is not found, then this means that although OpenVPN is running, the connection has not been established. At this point I want to restart OpenVPN. Because I am not using the admin account for this script, I always get the error "permission denied" when using TASKKILL /F. Is there any way around this?
There are two methods of running a command with administrator privileges.
Solution 1:
Right-Click the batch-file and click run as admin.
Solution 2:
Use the runas command to run a command or batch file with administrative permissions. This way the process is still automated but you will still need to type in the password for administrator.
Example:
C:\> runas /user:administrator "taskkill /f /im explorer.exe"
Enter the password for administrator:
Type runas /? for more info.
If you are already the administrator, you can create a shortcut to your batch file and when you right-click the shortcut -> Properties -> Advanced -> check the checkbox "Run as administrator"
and voila!
Every time you run the batch script via this shortcut file, it will run as administrator and will kill without any discrimination, happily ever after.
I don't generally write batches, but I currently have a batch that uses forfiles to copy my FLVs from one folder to another. When I run the batch manually it works every time, but from a scheduled task, it throws a (0x1) error.
forfiles -p "C:\Program Files\Adobe\Flash Media Server 4.5\applications\name\streams" -m *.flv -s -d -1 -c "cmd /c copy #file ^0x22C:\Program^ Files\Adobe\Flash^ Media^ Server^ 4.5\applications\name\output\"
Not sure what syntax the scheduled task doesn't like.
Update
Under my scheduled task, Actions I have the following:
Program/script: name.bat
Start in (optional): \\servername\file\to\batch
Hi, maybe this is helpful.
I also faced the same issue.
Just set the Start in path like this.
Here the Start in path is the path of the batch file.
If you have entered in Program/script:
"E:\program related files\demo.bat"
then in Start in just pass:
E:\program related files & done!
When my Start in (optional): path was a UNC path, it wouldn't work. So I moved my batch on the server and everything worked correctly.
UNC in Windows Batch Files
forfiles with UNC path
On Server 2008 R2 when running the batch file under domain user credentials, with confirmed "log on as a batch job" security in the Local Security Policy>Local Settings>User Rights Assignment,
even then my batch (copying a log file to a network share) would not run as scheduled task, until I selected in tab General the option "Run with highest privileges" (default NOT checked!)
The option Run whether user is logged on or not was also selected, with radio-button, but I guess this is quite standard, when selecting to run the task using a domain user account.
For the tab Actions : specifying the entire batch file name including its path, directly in "Program/script:" works fine (with Server 2008 R2)
Using double quotes inside the batch file causes no problems.
See the screenshot below.
You need to change the user to system
The most common reason for such problems is permissions: scheduled tasks do NOT always run with your user credentials. If you want the scheduled task to run as you, you will have to set it up as you or an alternative user.
Besides that I hope that your line of code is a content of your batch file, you are not trying to run this command directly. Or are you?
P.S. What are these ^0x22 and ^ doing in your code?
I know this is an old question, but just wanted to share some info.
The (0x01) error code can also refer to resources that are not found. Therefore:
all files/folders referred to from within the batch file should be accessible to the user whose account is being used to run that scheduled task;
pay attention when using network locations in combination with "Run whether user is logged on or not" option;
the above-mentioned option can be tricky to use because some resources may be available only after log on.
For .bat files to run inside your scheduled task, you need to specify your .bat file path inside the start option - despite the fact that your .bat file is at the same directory as your .exe. Also, I flagged it to run with highest privilege. After I have done those two things, the task suddenly takes off without any problem!